Abstract:

An embodiment of the present invention provides a method that minimizes
the number of entries required in a garbled circuit associated with
secure function evaluation of a given circuit. Exclusive OR (XOR) gates
are evaluated in accordance with an embodiment of the present invention
without the need of associated entries in the garbled table to yield
minimal computational and communication effort. This improves the
performance of SFE evaluation. Another embodiment of the present
invention provides a method that replaces regular gates with more
efficient constructions containing XOR gates in an implementation of a
Universal Circuit, and circuits for integer addition and multiplication,
thereby maximizing the performance improvement provided by the above.

Claims:

1. A computer implemented method for executing secure function evaluation
defined by a garbled circuit with gates where inputs and outputs of the
gates are related by entries in a garbled table, the method comprising
the steps of: using a plurality of exclusive OR (XOR) gates each having
first and second inputs, and an output in a circuit; generating a fixed
global key R based on security parameter N; generating first garbled
values w0 assigned to the first inputs where the values w0 are computed
based on an actual value combined with a random number so that the values
w0 are random; generating non-random second garbled values w1 in the
garbled table assigned to the second inputs where the values w1 are
derived based on an actual value exclusive OR'ed with key R; generating,
for other gates in the circuit that are not XOR gates, garbled values and
corresponding garbled table entries, where entries in the garbled table
are not required for inputs and outputs of the XOR; transmitting the
garbled tables and garblings of active circuit input wires from one party
to another party with whom the one party desires to exchange information
via results produced by the universal circuit where the one party has
private inputs P1 and the another party has private inputs P2, where the
private inputs are not known to the opposite party; calculating at least
one resultant output from the circuit based on the inputs P1 and P2, and
the secure function evaluation as defined by the gates of the circuit.

2. The method of claim 1 where the circuit contains at least one Y
switching block with two inputs A1, A2 and one output B1, the Y switching
block implemented comprising the steps of: receiving input A1 as an input
by first and second 2-input XOR gates; receiving input A2 as an input by
the first XOR gate; coupling the output of the first XOR gate to an input
of an AND gate; coupling a control input to the other input of the AND
gate; coupling the output of the AND gate to another input of the second
XOR gate; the output of the second XOR gate being the output B1.

3. The method of claim 2 further comprising the step of the control input
being a logic zero results in the output B1 being the input A1, the
control input being a logic one results in the output B1 being the input
A2.

4. The method of claim 1 where the circuit contains at least one X
switching block with two inputs A1, A2 and two outputs B1, B2, the X
switching block implemented comprising the steps of: receiving input A1 as
an input by first and second 2-input XOR gates; receiving input A2 as an
input by first and third two-input XOR gates; coupling the output of the
first XOR gate to an input of an AND gate; coupling a control input to the
other input of the AND gate; coupling the output of the AND gate to the
other inputs of the second and third XOR gates; the output of the second
and third XOR gates being the outputs B1 and B2, respectively.

5. The method of claim 4 further comprising the step of the control input
being a logic zero resulting in the outputs B1 and B2 being inputs A1 and
A2, respectively, the control input being a logic one resulting in the
outputs B1 and B2 being inputs A2 and A1, respectively.

6. The method of claim 1 further comprising the step of executing the
circuit by the another party based on the garbled table received from the
one party, inputting the private inputs P2 known by the other party, and
displaying to the other party a resultant value on the at least one
resultant output.

7. The method of claim 1 further comprising the steps of: receiving for
each of the first and second inputs of the XOR gates garbled values
defined by a key k and a permutation bit p; computing a garbled output
value for each XOR gate as two vectors, the first vector being a value
resulting from exclusive OR'ing the key k associated with the first input
with key k associated with the second input of the subject XOR gate,
second vector being the value resulting from exclusive OR'ing the
permutation bit p associated with the first input with the permutation
bit p associated with second input of the subject XOR gate, where said
two vectors define the garbled output value of each XOR gate.

8. A computer implemented method for generating garbled gates with inputs
and outputs that define at least a portion of a circuit that implements a
secure function evaluation, the method comprising the steps of: generating
a fixed global key R based on security parameter N; emulating a first
exclusive OR (XOR) gate having only two inputs (first and second inputs)
and an output, each of the first and second inputs and the output having
associated garbled values defined by two vectors, w0 and w1; setting the
garbled value of the output equal to a value obtained by exclusive OR'ing
the garbled values of the inputs; calculating vector w1 for each of the
first input, second input and output to be equal to the corresponding
vector w0 of the first input, second input and output, respectively,
exclusive OR'ed with R so that the garbled value associated with vector
w1 for each of the first input, second input, and the output differ from
the garbled value associated with vector w0 for each of the first input,
second input, and the output, respectively, by the same
amount; calculating the output vector w1 by using the XOR gate to
exclusive OR the first input vector w1 with the second input vector w0,
whereby implementation of the XOR gate is performed without a requirement
for entries in a garble table associated with inputs and output of the
XOR gate.

9. A switching block with 2-inputs A1, A2, and one output B1 comprising: a
first 2-input XOR gate with one input receiving input A1 and the other
input receiving input A2; a 2-input AND gate with one input receiving the
output from the first XOR gate and the other input receiving a control
input; a second 2-input XOR gate with one input receiving the input A1 and
the other input receiving the output from the AND gate; the output of the
second XOR gate defining output B1.

10. The switching block of claim 9 wherein the control input being a logic
zero results in the output B1 being the input A1, the control input being
a logic one results in the output B1 being the input A2, the switching
block being a Y switching block.

11. The switching block of claim 9 comprising: another output B2 of the
switching block; a third 2-input XOR gate having one input connected to
the output of the AND gate and its other input connected to the input
A2; the output of the third XOR gate being output B2.

12. The switching block of claim 11 wherein the control input being a
logic zero results in the outputs B1 and B2 being inputs A1 and A2,
respectively, the control input being a logic one resulting in the
outputs B1 and B2 being inputs A2 and A1, respectively, and the switching
block being an X switching block.

Description:

BACKGROUND

[0001]This invention relates to electronic transactions, and more
specifically to secure function evaluation (SFE) techniques that provide
privacy to the parties. This invention is especially, but not
exclusively, suited to the SFE of functions implemented by circuits
containing exclusive OR (XOR) gates. A Universal Circuit which contains
many XOR gates can benefit from construction in accord with this
invention. This invention is particularly, but not exclusively, suitable
for evaluation of private functions.

[0002]SFE implementations have been disclosed, e.g. see "Fairplay--A
Secure Two-party Computation System" by D. Malkhi, N. Nisan, B. Pinkas
and Y. Sella, USENIX 2004. Two-party general secure function evaluation
(SFE) allows two parties to evaluate any function on their respective
inputs x and y, while maintaining privacy of both x and y. SFE algorithms
enable a variety of electronic transactions, previously impossible due to
mutual mistrust of participants. Examples include auctions, contract
signing, distributed database mining, etc. As computation and
communication resources have increased, SFE has become practical.
Fairplay is an implementation of generic two-party SFE with malicious
players. It demonstrates the feasibility of SFE for many useful
functions, represented as circuits of up to about $10^6$ gates. Another
example of a SFE protocol implementation is "Y. Lindell, B. Pinkas, N.
Smart, `Implementing Two-party Computation Efficiently with Security
Against Malicious Adversaries`, SCN 2008".

[0003]The SFE of private functions (PF-SFE) is an extension of SFE where
the evaluated function is known only by one party and needs to be kept
secret (i.e. everything besides the size, the number of inputs and the
number of outputs is hidden from the other party). Examples of private
functions include airport no-fly check function, credit evaluation
function, background- and medical history checking function, etc. Full or
even partial revelation of these functions opens vulnerabilities in the
corresponding process, exploitable by dishonest participants (e.g. credit
applicants), and is desired to be prevented.

The problem of PF-SFE can be reduced to the "regular" SFE by evaluating a
Universal Circuit (UC) instead of a predetermined circuit defining the
evaluated function. A UC can be thought of as a program execution circuit
capable of simulating any circuit C of certain size, given the
description of C as input. Therefore, disclosing the UC does not reveal
anything about C, except its size. The player holding C simply treats the
description of C as an additional (private) input to the SFE.

[0004]A PF-SFE can utilize computer simulated Y and X switching blocks as
illustrated by FIGS. 1 and 2, respectively, interconnected to perform the
required function logic for a programmable permutation network of a UC.
The illustrated Y switching block of FIG. 1 illustrates a single output
that has a value selected to be one of its two inputs. The Y switching
block is controlled to determine which of the two inputs is selected as
the output. The X switching block of FIG. 2 has two outputs and two
inputs where one output receives one of the two inputs and the other
output receives the other input. The X switching block is controlled to
determine which of the first and second inputs appears on the respective
first and second outputs.

[0005]A known SFE implementation of a Y block uses a computer simulation
of a 3-input gate (the two inputs of the Y block, and an additional
control input) with a stored "garbled" table of $2^3 = 8$ encrypted table
entries. A garbled table contains stored garbled values created using
circuit input/output values that are transformed by mathematically
applying secret values (garbled values) so that a person observing a
garbled value cannot determine the corresponding circuit input/output
values. Each garbled value may define a wire (input, output, control
input) associated with a simulated circuit used to implement a universal
circuit. Similarly, a known X block for use in an SFE implementation
utilizes a computer simulation of two 3-input garbled gates (one for each
of its two outputs) resulting in a garbled table of $2 \times 2^3 = 16$
table entries. Typical UCs will employ a substantial number of such gates
resulting in a large number of corresponding table entries.

SUMMARY

[0006]It is an object of the present invention to provide a method of
garbled circuit evaluation, where XOR gates are evaluated with minimal
computational and communication effort by the evaluating parties. This
improves the performance of SFE evaluation.

[0007]It is an object of the present invention to provide an
implementation of a UC supporting an SFE where X blocks and Y blocks
utilize primarily XOR gates. This implementation, in conjunction with
almost free processing of XOR gates which is part of an embodiment of
this invention, minimizes the total number of garbled table entries
needed to define the respective circuit blocks of the UC, which improves
performance of SFE evaluation.

[0008]An exemplary computer-implemented method generates a garbled circuit
(e.g. a garbled Universal Circuit--UC), for secure function evaluation,
having garbled tables with entries corresponding to inputs and outputs of
gates of the universal circuit. In the case of a UC, the circuit is
constructed using primarily XOR gates, each with first and second inputs, and an
output. For each gate of the circuit, first garbled values w0 are
generated in the garbled table and supplied to the first inputs where the
values w0 are computed based on an actual value combined with a random
number so that the values w0 are random. A fixed global key R based on
security parameter N (e.g. N=128 bits) is generated. Non-random second
garbled values w1 are generated in the garbled table and supplied to the
second inputs where the values w1 are derived based on an actual value
exclusive OR'ed with key R. Garbled values in the garbled table
corresponding to the outputs of all possible circuit gates are generated
(XOR gates do not need associated garbled tables, and this achieves
savings in computation). The garbled tables are transmitted from one
party to another party with whom the one party desires to exchange
information via results produced by the universal circuit. The one party
has private inputs P1 and the other party has private inputs P2, where
the private inputs are not known to the opposite party.

[0009]Another embodiment is directed to generating a garbled table suited
to minimize the number of entries needed in the table for each XOR gate
used in a universal circuit.

[0010]Further embodiments are directed to the construction of Y and X
switching blocks that use primarily XOR gates, and are suited for use in
universal circuits.

DESCRIPTION OF THE DRAWINGS

[0011]Features of exemplary implementations of the invention will become
apparent from the description, the claims, and the accompanying drawings
in which:

[0021]One aspect of the present invention resides in the recognition that
known computer simulations of PF-SFE use circuits that require a
substantial number of table entries to define each circuit. More
specifically, independent random garble table entries have been required
for each wire of a circuit in order to provide the desired security of
the function. This causes the total number of table entries required to
simulate an entire circuit to be very large. Embodiments of the present
invention recognize that an exclusive OR construction can be used where
the garbling used for one wire of a pair of wires can be computed based
on the garbling used for the other wire in the pair by exclusive OR'ing
the garble used for the other wire with a random value R. This provides a
substantial reduction of the number of entries in a garble table used in
defining XOR gates, and also Y and X switching blocks in accordance with
an embodiment of the present invention. This results in corresponding
performance improvements.

[0022]FIG. 1 shows a known Y switching block 10 that has two inputs and
one output. The output either receives one of the inputs as shown in
block 12 or receives the other of the inputs as shown in block 14. The Y
switching block 10 can be programmed to select the desired input to be
transferred to its output.

[0023]FIG. 2 shows a known X switching block 16 which has two inputs and
two outputs. The respective inputs can be coupled straight through to a
corresponding output as shown in block 18 or can be cross connected as
shown in block 20. The X switching block 16 can be programmed to select
whether the inputs will be coupled straight through as in block 18 or
cross connected as in block 20.

[0024]In FIG. 3, a computing system 22, suitable for implementing a UC in
accordance with the present invention, includes a microprocessor 24 that
performs processes and tasks based on stored program instructions. It is
supported by read-only memory (ROM) 26, random access memory (RAM) 28 and
nonvolatile data storage device 30. As will be understood by those
skilled in the art, data and stored program instructions in ROM 26 are
typically utilized by microprocessor 24 to initialize and boot the
computing apparatus. An application program, e.g. a program that controls
the implementation of the UC including programming of individual blocks
in the UC and a corresponding garbled table, can be stored in nonvolatile
storage element 30. At least active portions of the application program
will be typically stored in RAM 28 for ready access and processing by
microprocessor 24. A variety of user inputs 32 such as a keyboard,
keypad, and mouse can be utilized to input instructions, e.g. control the
UC structure and its programming. User output devices 34 such as a
display screen and/or printer provide a visual output, e.g. characters,
that represent either information input by the user or information
associated with an interim or final output of the UC. An input/output
(I/O) module 36 provides a communication interface permitting
microprocessor 24 to transmit and receive data with external nodes.
Software that provides the basic circuit emulations for different types
of gates is known in general. Such software can be utilized to construct
UCs in accordance with the described embodiments of the present
invention.

[0025]Consider an SFE implementation of an XOR gate $G_i$ having two
input wires $W_a$, $W_b$ and output wire $W_c$. Let $N$ be a security
parameter (e.g. $N = 128$). Garble the wire values as follows. Randomly
choose $w_a^0, w_b^0, R \in_R \{0,1\}^N$. Set
$w_c^0 = w_a^0 \oplus w_b^0$, and
$\forall i \in \{a, b, c\}: w_i^1 = w_i^0 \oplus R$. It is
easy to see that the garbled gate output is simply obtained by XORing the
garbled gate inputs:

$$w_c^0 = w_a^0 \oplus w_b^0 = (w_a^0 \oplus R) \oplus (w_b^0 \oplus R) = w_a^1 \oplus w_b^1$$

$$w_c^1 = w_c^0 \oplus R = w_a^0 \oplus (w_b^0 \oplus R) = w_a^0 \oplus w_b^1 = (w_a^0 \oplus R) \oplus w_b^0 = w_a^1 \oplus w_b^0.$$

[0026]Further, the garblings $w_i^0$, $w_i^1$ do not reveal the wire
values they correspond to.

[0027]In the above exemplary exclusive OR construction, the garblings of
the two values of each wire in the circuit must differ by the same value:

$$\forall i: w_i^1 = w_i^0 \oplus R$$

where $R$ is a fixed global random number that need be set only once. This
should be contrasted to previous garbled circuit constructions in which
all garblings $w_i^j$ were required to be chosen independently at
random.

[0028]Let C be a circuit. XOR gates are constructed as discussed herein.
Further, each XOR-gate with n>2 inputs can be replaced with n-1
two-input XOR gates.

[0029]All other gates are implemented using standard (known) garbled
tables. Namely, each gate with $n$ inputs is assigned a table with $2^n$
randomly permuted entries. Each entry is an encrypted garbling of the
output wire, and garblings of the input wires serve as keys to decrypt
the "right" output value.

[0030]In the exemplary method described below, each garbling $w = (k, p)$
consists of a key $k \in \{0,1\}^N$ and a permutation bit
$p \in \{0, 1\}$. The key $k$ is used for decryption of the table entries,
and $p$ is used to select the entry for decryption. The two garblings
$w_i^0$, $w_i^1$ of each wire $W_i$ are related as required by the XOR
construction of [0027]: $w_i^1 = w_i^0 \oplus R$.

[0032]The following garbled circuit evaluation algorithm can be
implemented by P2, i.e. the party to whom the function itself is
unknown. P2 obtains all garbled tables and the garbling of P1's
input values from P1.
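The garbling and evaluation steps of [0025] through [0032], as an added worked example in Python that is not the patent's own code and does not reproduce its Algorithms 1 and 2. It assumes: 128-bit keys with garblings of the form (k, p) as in [0030]; a global offset R whose permutation bit is fixed to 1, a choice made here so that the two garblings of every wire carry opposite permutation bits and therefore select different table entries; table entries encrypted by XOR with SHA-256(k_a || k_b || gate_id), an assumed instantiation of the encryption the page leaves abstract; and no oblivious transfer, the evaluator simply being handed the garblings of all inputs. The Y switching block of FIG. 6 (two XOR gates and one AND gate) serves as the sample circuit, so the whole block costs four garbled-table entries. Function and wire names are this example's own.

```python
"""Free-XOR garbled circuit, garbler and evaluator sides, for a gate-list circuit."""
import hashlib
import secrets

N_BYTES = 16  # security parameter N = 128 bits (the page's example value)

# A garbling w = (k, p): an N-bit key k (as int) and a permutation bit p ([0030]).
def gxor(w1, w2):
    """Component-wise XOR of two garblings: this is the whole cost of an XOR gate."""
    return (w1[0] ^ w2[0], w1[1] ^ w2[1])

def rand_garbling():
    return (secrets.randbits(8 * N_BYTES), secrets.randbits(1))

def entry_mask(k_a, k_b, gate_id):
    """Assumed entry encryption: H(k_a || k_b || gate_id) with H = SHA-256,
    split into an N-bit key mask and a one-bit permutation-bit mask."""
    data = (k_a.to_bytes(N_BYTES, "big") + k_b.to_bytes(N_BYTES, "big")
            + gate_id.to_bytes(4, "big"))
    h = hashlib.sha256(data).digest()
    return (int.from_bytes(h[:N_BYTES], "big"), h[N_BYTES] & 1)

TRUTH = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b}

def garble(circuit, n_inputs):
    """Garbler (P1). circuit: list of (kind, in_a, in_b, out) wire indices.
    Returns (tables, w0, R): one 4-entry table per non-XOR gate (None for XOR
    gates), the zero-garbling w0 of every wire, and the global offset R."""
    # Assumption: R's permutation bit is 1, so w^1 = w^0 XOR R flips the
    # permutation bit and the two garblings of a wire select different entries.
    R = (secrets.randbits(8 * N_BYTES), 1)
    w0 = {i: rand_garbling() for i in range(n_inputs)}
    tables = []
    for gid, (kind, a, b, c) in enumerate(circuit):
        if kind == "XOR":
            w0[c] = gxor(w0[a], w0[b])   # [0025]: no table entries at all
            tables.append(None)
            continue
        w0[c] = rand_garbling()
        table = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                wa = w0[a] if va == 0 else gxor(w0[a], R)
                wb = w0[b] if vb == 0 else gxor(w0[b], R)
                wc = w0[c] if TRUTH[kind](va, vb) == 0 else gxor(w0[c], R)
                m = entry_mask(wa[0], wb[0], gid)
                # Point-and-permute: the input permutation bits fix the entry slot.
                table[2 * wa[1] + wb[1]] = (wc[0] ^ m[0], wc[1] ^ m[1])
        tables.append(table)
    return tables, w0, R

def garbling_of(w0, R, wire, bit):
    """Garbler side: the garbling of `wire` that encodes plaintext `bit`."""
    return w0[wire] if bit == 0 else gxor(w0[wire], R)

def evaluate(circuit, tables, wires):
    """Evaluator (P2): `wires` maps each input wire to the garbling it received."""
    for gid, (kind, a, b, c) in enumerate(circuit):
        wa, wb = wires[a], wires[b]
        if kind == "XOR":
            wires[c] = gxor(wa, wb)      # free: no decryption, no table lookup
        else:
            m = entry_mask(wa[0], wb[0], gid)
            e = tables[gid][2 * wa[1] + wb[1]]
            wires[c] = (e[0] ^ m[0], e[1] ^ m[1])
    return wires

def decode(w0, R, wire, w):
    """Garbler maps an output garbling back to its plaintext bit."""
    if w == w0[wire]:
        return 0
    if w == gxor(w0[wire], R):
        return 1
    raise ValueError("garbling matches neither value of the output wire")

# Sample circuit: the Y switching block of FIG. 6, b1 = a1 XOR (P AND (a1 XOR a2)).
# Wires: 0 = a1, 1 = a2, 2 = control P, 3 = a1^a2, 4 = P AND (a1^a2), 5 = b1.
Y_BLOCK = [("XOR", 0, 1, 3), ("AND", 2, 3, 4), ("XOR", 0, 4, 5)]

def run_y_block(a1, a2, ctrl):
    """Garble and evaluate the Y block once; returns (b1, garbled table entries)."""
    tables, w0, R = garble(Y_BLOCK, 3)
    # OT is out of scope here: P2 is simply handed the garblings of all inputs.
    inputs = {i: garbling_of(w0, R, i, bit) for i, bit in enumerate((a1, a2, ctrl))}
    wires = evaluate(Y_BLOCK, tables, inputs)
    entries = sum(len(t) for t in tables if t is not None)
    return decode(w0, R, 5, wires[5]), entries

if __name__ == "__main__":
    for a1, a2, p in [(0, 1, 0), (0, 1, 1), (1, 0, 0), (1, 0, 1)]:
        print(a1, a2, p, "->", run_y_block(a1, a2, p))
```

One caveat the construction imposes: because every wire's two garblings differ by the same R, the per-entry encryption has to be a keyed hash over both input keys and the gate index, as above. Masking an entry with a plain XOR of the input keys would let the shared offset cancel out across gates, so the choice of H is not free even though the XOR gates are.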

[0033]A garbled circuit based SFE protocol, such as the one described
below, can be used in conjunction with the above described construction
(Algorithm 1) and evaluation (Algorithm 2) methods to implement a
two-party SFE protocol.

TABLE-US-00003
Inputs: P1 has private input $x = x_1, \dots, x_{u_1} \in \{0,1\}^{u_1}$
and P2 has private input $y = y_1, \dots, y_{u_2} \in \{0,1\}^{u_2}$.
Auxiliary input: A boolean acyclic circuit C such that
$\forall x \in \{0,1\}^{u_1}, y \in \{0,1\}^{u_2}$ it holds that
$C(x,y) = f(x,y)$, where
$f: \{0,1\}^{u_1} \times \{0,1\}^{u_2} \to \{0,1\}^v$. We require that C
is such that if a circuit-output wire leaves some gate G, then gate G has
no other wires leading from it into other gates (i.e., no circuit-output
wire is also a gate-input wire). Likewise, a circuit-input wire that is
also a circuit-output wire enters no gates. We also require that C is
modified to contain no NOT-gates and all n-input XOR-gates with $n > 2$
replaced by 2-input XOR-gates.
The protocol:
1. P1 constructs the garbled circuit using Algorithm 1 and sends it (i.e.
the garbled tables) to P2.
2. Let $W_1, \dots, W_{u_1}$ be the circuit input wires corresponding to
x, and let $W_{u_1+1}, \dots, W_{u_1+u_2}$ be the circuit input wires
corresponding to y. Then
(a) P1 sends P2 the garbled values $w_1^{x_1}, \dots, w_{u_1}^{x_{u_1}}$.
(b) For every $i \in \{1, \dots, u_2\}$, P1 and P2 execute a 1-out-of-2
oblivious transfer protocol, where P1's input is
$(k_{u_1+i}^0, k_{u_1+i}^1)$ and P2's input is $y_i$. All $u_2$ OT
instances can be run in parallel.
3. P2 now has the garbled tables and the garblings of the circuit's input
wires. P2 evaluates the garbled circuit, as described in Algorithm 2, and
outputs f(x,y).

[0034]FIG. 4 shows a block diagram of an exemplary Y switching block 40 in
accordance with the present invention. One of two inputs (a1, a2) is
selected to appear at the output (b1). An XOR function 42 receives both
inputs and provides an output to a function 44. An XOR function 46
receives a1 as one input and the output of function 44 as its other
input. The output of XOR function 46 consists of the output b1 of this
block. The function 44 may consist of a programmable function with two
output states: a zero state in which its output is a "0" regardless of
its inputs, and an identity state in which its output consists of its
input. A more detailed explanation of how this Y switching block, as well
as the counterpart X switching block, operates is provided below.

[0035]FIG. 5 shows a block diagram of an exemplary X switching block 50 in
accordance with the present invention. It has two inputs (a1, a2) and two
outputs (b1, b2). It provides outputs as explained with regard to FIG. 2.
Each of its inputs are provided as an input to XOR function 52 that
provides its output to function 54 which provides the same functionality
explained above with regard to function 44 of FIG. 4. XOR function 56
receives a1 as one input with the other input being the output of
function 54. XOR function 58 receives a2 as one input with the other
input being the output of function 54. The outputs of XOR functions 56
and 58 consist of the block outputs b1 and b2, respectively.

[0036]FIG. 6 is a schematic diagram of a practical gate implementation of
a Y switching block 60 corresponding to the Y switching block 40 of FIG.
4. Gates 62 and 66 provide XOR functions and gate 64 is an AND gate in
which one input receives a control input P, being either 0 or 1.

[0037]FIG. 7 is a schematic diagram of a practical gate implementation of
an X switching block 70 corresponding to the X switching block 50 of FIG.
5. Gates 72, 76 and 78 provide XOR functions and gate 74 is an AND gate
in which one input receives a control input P, being either 0 or 1.

[0038]The following describes the operation of the switching blocks shown
in FIGS. 4-7 in terms of computer simulated switching blocks forming part
of an SFE utilizing garbled table entries.

[0039]Switching from the implementation of an exemplary UC to the
implementation of exemplary circuits computing integer addition and/or
multiplication, we note that FIG. 8 shows a full adder 80 and FIG. 9
shows an adder for n-bit integers a, b composed from a chain of n full
adder (FA) blocks 82, 84, 86. Adders may be used in GC construction. The
last FA block 86 can be replaced by a smaller half-adder block since no
carry forward is needed there. A FA block 80 has as inputs a carry-in
$c_i$ from the previous FA block and the two input bits $a_i$ and $b_i$.
It outputs two bits: carry-out $c_{i+1}$ and sum $s_i$. A straightforward
known implementation of a FA uses two 3-input gates with
$2 \times 2^3 = 16$ encrypted table entries in a GC. We can compute $s_i$
using "free" XOR gates and use only one 3-input gate with $2^3 = 8$
encrypted table entries to compute $c_{i+1}$. The size of a FA block, and
hence that of an n-bit adder, is reduced by 50% in accordance with the
embodiments of the present invention.

[0040]As circuits for integer multiplication consist of bit-multipliers
(2-input AND gates) and adders, the improved implementation of adders can
directly be used to correspondingly improve integer-multiplication
circuits.

[0041]A similar construction is used to test equality of two n-bit
integers a and b. Now the computation of $s_i$ is not needed and the
carry bits are used as inequality flags. A simple known implementation
uses two 2-input gates or one 3-input gate (either alternative costs 8
encrypted table entries per bit). Free XOR gates reduce the cost to that
of one 2-input OR gate (4 encrypted table entries). Thus, the size of the
equality test block can be reduced by 50%.
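Gate-count accounting for the adder of FIGS. 8 and 9 ([0039]) and the equality test of [0041], as an added example in Python that is not part of the patent. The circuits are built as gate lists and simulated in the clear (no garbling), then costed with the page's own accounting: a non-XOR gate with n inputs costs $2^n$ entries, and an n-input XOR gate costs $4(n-1)$ entries in the known construction (split into 2-input gates as in [0028]) and 0 with free XOR. The carry-out is modelled as a single 3-input majority gate, matching the one 3-input gate the page describes; the wire layout and helper names are this example's own.

```python
"""Gate-count accounting for the n-bit adder of FIGS. 8-9 and the equality
test of [0041], with and without free XOR gates, checked against plain integers."""
import operator
from functools import reduce

# Gate: (kind, [input wires], output wire). XOR may have any arity; it is
# charged as n-1 two-input gates when not free ([0028]).
FUNCS = {
    "XOR": lambda *bits: reduce(operator.xor, bits),
    "MAJ3": lambda a, b, c: (a & b) | (a & c) | (b & c),   # 3-input carry gate
    "OR": lambda a, b: a | b,
}

def adder_circuit(n):
    """Ripple-carry adder: a_i on wires 0..n-1, b_i on n..2n-1, carry-in c_0 on
    wire 2n. Returns (gates, sum wires s_0..s_{n-1}, final carry wire)."""
    gates, sums, c, nxt = [], [], 2 * n, 2 * n + 1
    for i in range(n):
        s, c_out = nxt, nxt + 1
        nxt += 2
        gates.append(("XOR", [i, n + i, c], s))        # s_i = a_i ^ b_i ^ c_i, free
        gates.append(("MAJ3", [i, n + i, c], c_out))   # c_{i+1}: the one 3-input gate
        sums.append(s)
        c = c_out
    return gates, sums, c

def equality_circuit(n):
    """Inequality-flag chain: f_{i+1} = f_i OR (a_i ^ b_i), f_0 = 0 on wire 2n.
    Returns (gates, final flag wire); a == b iff the final flag is 0."""
    gates, f, nxt = [], 2 * n, 2 * n + 1
    for i in range(n):
        d, f_out = nxt, nxt + 1
        nxt += 2
        gates.append(("XOR", [i, n + i], d))           # free
        gates.append(("OR", [f, d], f_out))            # the only paid gate per bit
        f = f_out
    return gates, f

def simulate(gates, wires):
    """Plaintext evaluation of a gate list; `wires` holds the input wire values."""
    for kind, ins, out in gates:
        wires[out] = FUNCS[kind](*(wires[w] for w in ins))
    return wires

def table_entries(gates, free_xor):
    """Garbled-table entries: 2^n per n-input non-XOR gate; XOR gates cost
    4*(n-1) entries in the known construction and 0 with free XOR."""
    total = 0
    for kind, ins, _ in gates:
        if kind == "XOR":
            total += 0 if free_xor else 4 * (len(ins) - 1)
        else:
            total += 2 ** len(ins)
    return total

def bits(x, n):
    return [(x >> i) & 1 for i in range(n)]

def add_via_circuit(a, b, n):
    """Add two n-bit integers through the adder circuit (result has n+1 bits)."""
    gates, sums, carry = adder_circuit(n)
    wires = simulate(gates, dict(enumerate(bits(a, n) + bits(b, n) + [0])))
    return sum(wires[s] << i for i, s in enumerate(sums)) + (wires[carry] << n)

def equal_via_circuit(a, b, n):
    """True iff a == b as n-bit integers, decided by the flag chain."""
    gates, flag = equality_circuit(n)
    return simulate(gates, dict(enumerate(bits(a, n) + bits(b, n) + [0])))[flag] == 0

def cost_report(n):
    """Entries for the n-bit adder and equality test, known vs free-XOR."""
    adder, _, _ = adder_circuit(n)
    eq, _ = equality_circuit(n)
    return {
        "adder_known": table_entries(adder, False),
        "adder_free_xor": table_entries(adder, True),
        "equality_known": table_entries(eq, False),
        "equality_free_xor": table_entries(eq, True),
    }

if __name__ == "__main__":
    print(add_via_circuit(200, 100, 8), equal_via_circuit(5, 5, 4), cost_report(8))
```

For an 8-bit adder the report gives 128 entries in the known construction against 64 with free XOR, and 64 against 32 for the equality test, the 50% reductions the page states; the simulation check against integer addition confirms that dropping the sum gate's table does not change the function computed.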

[0042]The apparatus in one example employs one or more computer readable
signal-bearing tangible media. The computer-readable signal-bearing media
store software, firmware and/or assembly language for performing one or
more portions of one or more embodiments of the invention. The
computer-readable signal-bearing medium for the apparatus in one example
comprise one or more of a magnetic, electrical, optical, biological, and
atomic data storage tangible medium. For example, the computer-readable
signal-bearing medium may comprise floppy disks, magnetic tapes, CD-ROMs,
DVD-ROMs, hard disk drives, and electronic memory.

[0043]Although exemplary implementations of the invention have been
depicted and described in detail herein, it will be apparent to those
skilled in the art that various modifications, additions, substitutions,
and the like can be made without departing from the spirit of the
invention.